Display errors during IDP authentication

- login callback page will output the error returned by the IDP in case
of a misconfiguration
- User can configured desired IDP scopes via CONSOLE_IDP_SCOPES env
  variable
- User can configured desired IDP Token expiration time via
  CONSOLE_IDP_TOKEN_EXPIRATION env variable

Author: Alevsk

pkg/auth/idp/oauth2/config.go

@@ -66,3 +66,13 @@ var defaultSaltForIdpHmac = utils.RandomCharString(64)
 func getSaltForIdpHmac() string {
 	return env.Get(ConsoleIdpHmacSalt, defaultSaltForIdpHmac)
 }
+
+// getIdpScopes return default scopes during the IDP login request
+func getIdpScopes() string {
+	return env.Get(ConsoleIDPScopes, "openid,profile,app_metadata,user_metadata,email")
+}
+
+// getIdpTokenExpiration return default token expiration for access token (in seconds)
+func getIdpTokenExpiration() string {
+	return env.Get(ConsoleIDPTokenExpiration, "3600")
+}

pkg/auth/idp/oauth2/const.go

@@ -18,11 +18,13 @@ package oauth2
 
 const (
 	// const for idp configuration
-	ConsoleMinIOServer       = "CONSOLE_MINIO_SERVER"
-	ConsoleIdpURL            = "CONSOLE_IDP_URL"
-	ConsoleIdpClientID       = "CONSOLE_IDP_CLIENT_ID"
-	ConsoleIdpSecret         = "CONSOLE_IDP_SECRET"
-	ConsoleIdpCallbackURL    = "CONSOLE_IDP_CALLBACK"
-	ConsoleIdpHmacPassphrase = "CONSOLE_IDP_HMAC_PASSPHRASE"
-	ConsoleIdpHmacSalt       = "CONSOLE_IDP_HMAC_SALT"
+	ConsoleMinIOServer        = "CONSOLE_MINIO_SERVER"
+	ConsoleIdpURL             = "CONSOLE_IDP_URL"
+	ConsoleIdpClientID        = "CONSOLE_IDP_CLIENT_ID"
+	ConsoleIdpSecret          = "CONSOLE_IDP_SECRET"
+	ConsoleIdpCallbackURL     = "CONSOLE_IDP_CALLBACK"
+	ConsoleIdpHmacPassphrase  = "CONSOLE_IDP_HMAC_PASSPHRASE"
+	ConsoleIdpHmacSalt        = "CONSOLE_IDP_HMAC_SALT"
+	ConsoleIDPScopes          = "CONSOLE_IDP_SCOPES"
+	ConsoleIDPTokenExpiration = "CONSOLE_IDP_TOKEN_EXPIRATION"
 )

pkg/auth/idp/oauth2/provider.go

@@ -25,6 +25,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strconv"
 	"strings"
 	"time"
 
@@ -115,12 +116,14 @@ func NewOauth2ProviderClient(ctx context.Context, scopes []string, httpClient *h
 	if err != nil {
 		return nil, err
 	}
+	// below verification should not be necessary if the user configure exactly the
+	// scopes he need, will be removed on a future release
 	if u.Host == "google.com" {
 		scopes = []string{oidc.ScopeOpenID}
 	}
-	// If provided scopes are empty we use a default list
+	// If provided scopes are empty we use a default list or the user configured list
 	if len(scopes) == 0 {
-		scopes = []string{oidc.ScopeOpenID, "profile", "app_metadata", "user_metadata", "email"}
+		scopes = strings.Split(getIdpScopes(), ",")
 	}
 	client := new(Provider)
 	client.oauth2Config = &xoauth2.Config{
@@ -177,9 +180,22 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state string)
 			return nil, errors.New("invalid token")
 		}
 
+		// expiration configured in the token itself
+		expiration := int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds())
+
+		// check if user configured a hardcoded expiration for console via env variables
+		// and override the incoming expiration
+		userConfiguredExpiration := getIdpTokenExpiration()
+		if userConfiguredExpiration != "" {
+			expiration, _ = strconv.Atoi(userConfiguredExpiration)
+		}
+		idToken := oauth2Token.Extra("id_token")
+		if idToken == nil {
+			return nil, errors.New("returned token is missing id_token claim")
+		}
 		return &credentials.WebIdentityToken{
-			Token:  oauth2Token.Extra("id_token").(string),
-			Expiry: int(oauth2Token.Expiry.Sub(time.Now().UTC()).Seconds()),
+			Token:  idToken.(string),
+			Expiry: expiration,
 		}, nil
 	}
 	stsEndpoint := GetSTSEndpoint()

portal-ui/src/screens/LoginPage/LoginCallback.tsx

@@ -14,31 +14,48 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import React, { FC, useEffect } from "react"; // eslint-disable-line @typescript-eslint/no-unused-vars
+import React, { FC, useEffect, useState } from "react"; // eslint-disable-line @typescript-eslint/no-unused-vars
 import { RouteComponentProps } from "react-router";
 import storage from "local-storage-fallback";
 import api from "../../common/api";
 
 const LoginCallback: FC<RouteComponentProps> = ({ location }) => {
+  const [error, setError] = useState<string>("");
+  const [errorDescription, setErrorDescription] = useState<string>("");
   useEffect(() => {
     const code = (location.search.match(/code=([^&]+)/) || [])[1];
     const state = (location.search.match(/state=([^&]+)/) || [])[1];
-    api
-      .invoke("POST", "/api/v1/login/oauth2/auth", { code, state })
-      .then((res: any) => {
-        if (res && res.sessionId) {
-          // store the jwt token
-          storage.setItem("token", res.sessionId);
-          // We push to history the new URL.
-          window.location.href = "/";
-        }
-      })
-      .catch((res: any) => {
-        window.location.href = "/login";
-      });
-    // eslint-disable-next-line react-hooks/exhaustive-deps
+    const error = (location.search.match(/error=([^&]+)/) || [])[1];
+    const errorDescription = (location.search.match(
+      /error_description=([^&]+)/
+    ) || [])[1];
+    if (error != undefined || errorDescription != undefined) {
+      setError(error);
+      setErrorDescription(errorDescription);
+    } else {
+      api
+        .invoke("POST", "/api/v1/login/oauth2/auth", { code, state })
+        .then((res: any) => {
+          if (res && res.sessionId) {
+            // store the jwt token
+            storage.setItem("token", res.sessionId);
+            // We push to history the new URL.
+            window.location.href = "/";
+          }
+        })
+        .catch((res: any) => {
+          window.location.href = "/login";
+        });
+      // eslint-disable-next-line react-hooks/exhaustive-deps
+    }
   }, []);
-  return null;
+  return error != "" || errorDescription != "" ? (
+    <div>
+      <h2>IDP Error:</h2>
+      <p>{error}</p>
+      <p>{errorDescription}</p>
+    </div>
+  ) : null;
 };
 
 export default LoginCallback;